ngclient: max_root_rotations value is very small #1577
Labels
Comments
|
Per PEP 458, root metadata should expire every year, so we'll want this value to be at least the number of years we anticipate clients will go between updating their local root metadata, plus some extra rotations in case of a compromise. I actually think that 32 should be plenty. |
lukpueh
added
the
discussion
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Please fill in the fields below to submit an issue or feature request. The
more information that is provided, the better.
Description of issue or feature request:
ngclient (like legacy client?) has a
max_root_rotationsvalue of 32, which feels low.The specification suggests a value of 1024 (2^10)
Can we define a way of calculating a sane default for, i.e., PyPI users and update the default accordingly?
The text was updated successfully, but these errors were encountered: